Skip to main content

ALNUR — Open-source end-to-end vulnerability identifier for applications

Project description

ALNUR

Open-Source End-to-End Vulnerability Scanner

ALNUR is an open-source, end-to-end security vulnerability scanner for application projects. Point it at any project directory and it acts as your security analyst — detecting CVEs in dependencies, leaked secrets, architecture flaws, standards violations, risky port configurations, and — uniquely — security risks in agentic AI applications.


Features

Module What It Checks
CVE Scanner Queries OSV.dev for known CVEs across all detected packages
Secret Detection Finds hardcoded API keys, tokens, passwords, and private keys using patterns + entropy analysis
Architecture Analysis 30+ SAST rules covering injection, weak crypto, insecure deserialization, misconfigurations
Agentic AI Analysis 30 rules targeting LLM/agent-specific risks: prompt injection, excessive tool permissions, unauthenticated endpoints, exfiltration combos, MCP misconfigurations
Standards Compliance Gitignore hygiene, lockfile presence, CI/CD, test suite, Docker best practices
Port Risk Analysis Flags dangerous ports in Dockerfiles, docker-compose, config files, and .env
LLM-Enhanced Analysis Optional AI-powered executive summary and remediation guidance (OpenAI / Anthropic / Groq / Mistral / Ollama)

Supported Project Types

Node.js · React · Vue.js · Next.js · Express.js · Python · Django · Flask · FastAPI · PHP · Laravel · Symfony · Ruby · Ruby on Rails · Go · Rust · Java (Maven/Gradle) · Spring Boot · .NET

Installation

pip install alnur

Or install from source:

git clone https://github.com/Threads-Beams/ALNUR
cd ALNUR
pip install -e .

Quick Start

# Scan current directory
alnur scan .

# Scan a specific path
alnur scan /path/to/my-project

# Generate HTML report
alnur scan . --output html --output-file report.html

# Generate all formats
alnur scan . --output all --output-file report

# Show only high+ severity issues
alnur scan . --severity high

# Detect project type only (fast)
alnur detect .

CLI Reference

alnur scan [PATH] [OPTIONS]

Options:
  -o, --output [console|json|html|all]            Output format (default: console)
  -f, --output-file PATH                          Write report to file
  -s, --severity [critical|high|medium|low|info]  Minimum severity (default: low)
  --skip-cve                                      Skip CVE check
  --skip-secrets                                  Skip secret detection
  --skip-arch                                     Skip architecture analysis
  --skip-agentic                                  Skip agentic AI security analysis
  --skip-standards                                Skip standards compliance
  --skip-ports                                    Skip port risk analysis
  --no-llm                                        Disable LLM-enhanced analysis
  --no-dev                                        Exclude dev dependencies
  -v, --verbose                                   Show recommendations inline
  -q, --quiet                                     Suppress progress output

Risk Grading

Grade Score Meaning
A 0–19 Low risk — keep it up
B 20–49 Minor issues — review low-priority findings
C 50–99 Moderate risk — address before production
D 100–199 High risk — urgent remediation needed
F 200+ Critical — do not deploy

Output Formats

  • Console — Rich colored terminal output with tables and severity badges
  • JSON — Machine-readable structured report (CI/CD integration)
  • HTML — Self-contained dark-theme security dashboard, no external dependencies

Exit Codes

Code Meaning
0 Scan completed — no critical/high issues
1 Critical or high severity issues found

CVE Data Source

ALNUR uses the OSV.dev API — a free, open vulnerability database covering npm, PyPI, Maven, NuGet, RubyGems, crates.io, Packagist, Go modules, and more. No API key required.

Agentic AI Security

ALNUR automatically detects files that import LangChain, CrewAI, AutoGen, LlamaIndex, OpenAI Agents, Anthropic SDK, and other agentic frameworks, then applies 30 dedicated rules:

Rule Range Category Severity
AGENT001–004 Secrets in agent context / hardcoded LLM keys HIGH/CRITICAL
AGENT005–007 Prompt injection surfaces CRITICAL
AGENT008–014 Excessive tool permissions (shell, filesystem, SQL, email) HIGH/CRITICAL
AGENT015–016 Unauthenticated agent endpoints CRITICAL
AGENT017–018 Data exfiltration combos (DB + outbound HTTP) HIGH
AGENT019–022 MCP server misconfigurations HIGH/CRITICAL
AGENT023–030 Missing human-in-the-loop, unsafe delegation, code execution HIGH/CRITICAL

Optional LLM-Enhanced Analysis

Set any supported API key and ALNUR will automatically include an AI-generated security review at the end of each scan — no extra flags needed.

Environment Variable Provider Default Model
OPENAI_API_KEY OpenAI gpt-4o-mini
ANTHROPIC_API_KEY Anthropic claude-haiku-4-5
GROQ_API_KEY Groq llama-3.1-8b-instant
MISTRAL_API_KEY Mistral mistral-small-latest
OLLAMA_HOST Ollama (local) llama3.2

Override any setting with environment variables:

export ALNUR_LLM_PROVIDER=anthropic    # force a specific provider
export ALNUR_LLM_MODEL=claude-sonnet-4-6  # override the model
export ALNUR_LLM_BASE_URL=http://...   # custom endpoint / proxy

Use --no-llm to disable the feature even when a key is present.

Architecture Rules (Sample)

Rule Category Severity
INJ001–009 SQL / Command Injection HIGH/CRITICAL
DESER001–003 Insecure Deserialization HIGH
CRYPTO001–004 Weak Cryptography MEDIUM/HIGH
TLS001–004 SSL/TLS Misconfiguration MEDIUM/HIGH
DJANGO001–005 Django Misconfiguration MEDIUM/HIGH
FLASK001–003 Flask Misconfiguration MEDIUM/HIGH
NODE001–004 Node.js Misconfiguration MEDIUM/HIGH
DOCKER001–003 Container Security MEDIUM/HIGH
XSS001–002 Cross-Site Scripting HIGH
PATH001–002 Path Traversal HIGH

Suppressing False Positives

Add # alnur: ignore to any line to exclude it from all scan results:

API_KEY = os.environ.get("API_KEY", "default-value")  # alnur: ignore

Contributing

Contributions are welcome. To add a new architecture rule, add an entry to _RULES in alnur/analyzers/architecture.py. To add a new agentic AI rule, add to _RULES in alnur/analyzers/agentic.py. To add a new secret pattern, add to _PATTERNS in alnur/analyzers/secrets.py.

pip install -e ".[dev]"
pytest

License

MIT — see LICENSE


ALNUR — illuminating what's hidden in your codebase.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

alnur-1.0.2.tar.gz (52.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

alnur-1.0.2-py3-none-any.whl (57.3 kB view details)

Uploaded Python 3

File details

Details for the file alnur-1.0.2.tar.gz.

File metadata

  • Download URL: alnur-1.0.2.tar.gz
  • Upload date:
  • Size: 52.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for alnur-1.0.2.tar.gz
Algorithm Hash digest
SHA256 57ea0176ae346fbdbb30f0ee874702d3ff72241c229733e03000dc8e431e5035
MD5 26d5d7323c28407a14afc808ddeef260
BLAKE2b-256 a6e614fca194a921745f084f97508316b35c3c1c1df5a057648940ae175e9dd9

See more details on using hashes here.

Provenance

The following attestation bundles were made for alnur-1.0.2.tar.gz:

Publisher: publish.yml on Threads-Beams/ALNUR

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file alnur-1.0.2-py3-none-any.whl.

File metadata

  • Download URL: alnur-1.0.2-py3-none-any.whl
  • Upload date:
  • Size: 57.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for alnur-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 c60a4885277d8b5fae864363cb9860054a7fbec28b850fd9d31b26e0c2688d6e
MD5 993f0300d82ad0c2d6582485842a99dc
BLAKE2b-256 ab41bf6aeac15818d4730fc747e07742c966493ba025baf242c2fac99b8e40be

See more details on using hashes here.

Provenance

The following attestation bundles were made for alnur-1.0.2-py3-none-any.whl:

Publisher: publish.yml on Threads-Beams/ALNUR

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page